A team of cybersecurity researchers discovered a flaw in TikTok that exposed personal data, such as phone numbers and profile details, to potential hackers, The Washington Times has learned.
Data privacy concerns on the Chinese-owned video app prompted the Trump administration to pursue banning it. As the Biden administration considers whether to continue that pursuit, TikTok insisted that it does not have reason to think user data was exposed using the problems first uncovered by Check Point Research (CPR).
Check Point Research’s team found that TikTok’s “Find Friends” feature bypassed privacy protections and made it possible for nefarious actors to harvest data and build databases linking phone numbers and users’ profile details for future malicious cyberattacks.
Oded Vanunu, Check Point head of products vulnerabilities research, said his group previously found a security vulnerability in TikTok and wanted to learn whether the social media platform exposed users’ data. Mr. Vanunu found that TikTok did expose users’ data and said he was able to bypass “multiple protection mechanisms” used by TikTok.
“The vulnerability could have allowed an attacker to build a database of user details and their respective phone numbers. An attacker with that degree of sensitive information could perform a range of malicious activities, such as spearphishing or other criminal actions,” Mr. Vanunu said in a statement. “Our message to TikTok users is to share the bare minimum when it comes to your personal data. Update your [operating system] and applications to the latest versions.”
CPR told ByteDance, TikTok’s China-based owner, about the security vulnerability it had discovered.
TikTok told The Washington Times it did have a bug in its system, but it insisted there were no indications or patterns suggesting user data was exploited by cyberattackers using the vulnerability. The company said its highest priorities are “security, privacy, and safety.”
“We appreciate the efforts of Check Point in identifying potential issues so that we can resolve them before users are impacted,” a TikTok spokesperson said in an email to The Times. “We continue to invest in strengthening our automation defenses to minimize these types of attacks.”
TikTok also said it believed only users who chose to provide their phone numbers could have been affected by any breach, and that an attacker should not have been able to collect other private information.
The latest flaw in TikTok’s security mechanisms comes as concerns about its data privacy protections prompted the Trump administration to attempt to banish it entirely. On Monday, White House press secretary Jen Psaki punted when asked about TikTok’s future.
“I haven’t had the opportunity to speak with our national security team about it,” Ms. Psaki told reporters.
Former President Donald Trump signed an executive order last year authorizing the Commerce Department to pursue a ban of TikTok’s app. The Trump administration defended its ban in multiple federal courts, amid lawsuits from users, TikTok, and its parent company ByteDance.
TikTok and ByteDance took their case to a federal appeals court in D.C. to rescue the social media platform late last year. The litigation remains ongoing with revised briefs from the government and TikTok due in the federal appeals court later this week.
TikTok, however, does not appear to be sweating the Biden administration’s potential actions as it did under Mr. Trump.
ByteDance founder Zhang Yiming told employees last month to keep calm and predicted their international struggles would subside, according to Bloomberg news agency.
• Ryan Lovelace can be reached at rlovelace@washingtontimes.com.